in reply to Insecure dependency in open while running with -T switch

however I am getting the message "Insecure dependency in `` while running with -T switch at /...../YYY.cgi line 252." which calls my script in a way

my @arr = `perl -wT $XXXfile $inp_file $outfile 'param'`;

Is YYY.cgi also running with the taint switch on? In that case you have to launder all three of $XXXfile, $inp_file and $outfile before you use them in your backticks call.

Again from the docs (perlsec):

Tainted data may not be used directly or indirectly in any command that invokes a sub-shell, (...)

CountZero

"A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little nor too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

Re^2: Insecure dependency in open while running with -T switch
by vit (Friar) on Jan 18, 2008 at 23:20 UTC
    Got it, Thank you very much
      Actually I have one more question. My file is a path to file like /yyy/xxx/file.txt
      Symbol "/" or "\" is always tainted as far as I understand. Untainting just file.txt is not enough.
      So what to do?
        Symbol "/" or "\" is always tainted as far as I understand.
        You understand incorrectly. "/" and "\" are fine if that is what you allow in your regular expression to untaint the data.
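One way to launder the three paths before the backticks call, including the "/" that the follow-up question asks about, as an added example that is not code from this thread. It assumes the paths arrive in @ARGV, that letters, digits, "_", ".", "-" and "/" are the only characters you want to allow, and it must be started as `perl -T` (or via the -T shebang) so taint mode is active:

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): untainting file paths, "/" included,
# so they can be used in a sub-shell command under -T.
use strict;
use warnings;

# Under -T the environment is tainted too; a sub-shell refuses to run with a
# tainted PATH, so set a fixed, trusted one and drop the shell-influencing vars.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint one path. Only the text captured by the group is passed through,
# and $1 is untainted by definition. Listing "/" in the character class is
# what lets directory separators survive; ".." components and a leading "-"
# (which the child perl would read as an option) are rejected outright.
sub untaint_path {
    my ($path) = @_;
    return undef unless defined $path;
    return undef if $path =~ m{(?:^|/)\.\.(?:/|\z)};   # no ".." components
    return undef if $path =~ m{^-};                      # no option-like names
    if ($path =~ m{^([\w./-]+)\z}) {                     # \w . / - only
        return $1;
    }
    return undef;                                        # anything else: reject
}

die "usage: $0 script input output\n" unless @ARGV == 3;

my @clean;
for my $arg (@ARGV) {
    my $p = untaint_path($arg);
    die "refusing to run: unacceptable path '$arg'\n" unless defined $p;
    push @clean, $p;
}
my ($XXXfile, $inp_file, $outfile) = @clean;

# All three variables are now untainted, so this no longer dies with
# "Insecure dependency in `` while running with -T switch".
my @arr = `perl -wT $XXXfile $inp_file $outfile 'param'`;
print @arr;
```

Note that the regex is a whitelist: tightening the character class (for example to a fixed directory prefix) is how you narrow what callers may pass, and untainting alone does not check that the file exists or is the one you expect.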